GNUnet 0.21.1
crypto_cs.c File Reference

Clause Blind Schnorr signatures using Curve25519. More...

#include "platform.h"
#include "gnunet_util_lib.h"
#include <sodium.h>
#include <gcrypt.h>
Include dependency graph for crypto_cs.c:

Go to the source code of this file.


void GNUNET_CRYPTO_cs_private_key_generate (struct GNUNET_CRYPTO_CsPrivateKey *priv)
void GNUNET_CRYPTO_cs_private_key_get_public (const struct GNUNET_CRYPTO_CsPrivateKey *priv, struct GNUNET_CRYPTO_CsPublicKey *pub)
 Extract the public key of the given private key. More...
static void map_to_scalar_subgroup (struct GNUNET_CRYPTO_Cs25519Scalar *scalar)
 Maps 32 random bytes to a scalar. More...
void GNUNET_CRYPTO_cs_r_derive (const struct GNUNET_CRYPTO_CsSessionNonce *nonce, const char *seed, const struct GNUNET_CRYPTO_CsPrivateKey *lts, struct GNUNET_CRYPTO_CsRSecret r[2])
 Derive a new secret r pair r0 and r1. More...
void GNUNET_CRYPTO_cs_r_get_public (const struct GNUNET_CRYPTO_CsRSecret *r_priv, struct GNUNET_CRYPTO_CsRPublic *r_pub)
 Extract the public R of the given secret r. More...
void GNUNET_CRYPTO_cs_blinding_secrets_derive (const struct GNUNET_CRYPTO_CsBlindingNonce *blind_seed, struct GNUNET_CRYPTO_CsBlindingSecret bs[2])
 Derives new random blinding factors. More...
static void cs_full_domain_hash (const struct GNUNET_CRYPTO_CsRPublic *r_dash, const void *msg, size_t msg_len, const struct GNUNET_CRYPTO_CsPublicKey *pub, struct GNUNET_CRYPTO_CsC *c)
 Computes a Hash of (R', m) mapped to a Curve25519 scalar. More...
static void calc_r_dash (const struct GNUNET_CRYPTO_CsBlindingSecret *bs, const struct GNUNET_CRYPTO_CsRPublic *r_pub, const struct GNUNET_CRYPTO_CsPublicKey *pub, struct GNUNET_CRYPTO_CsRPublic *blinded_r_pub)
 calculate R' More...
void GNUNET_CRYPTO_cs_calc_blinded_c (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2], const struct GNUNET_CRYPTO_CsRPublic r_pub[2], const struct GNUNET_CRYPTO_CsPublicKey *pub, const void *msg, size_t msg_len, struct GNUNET_CRYPTO_CsC blinded_c[2], struct GNUNET_CRYPTO_CSPublicRPairP *r_pub_blind)
 Calculate two blinded c's. More...
void GNUNET_CRYPTO_cs_sign_derive (const struct GNUNET_CRYPTO_CsPrivateKey *priv, const struct GNUNET_CRYPTO_CsRSecret r[2], const struct GNUNET_CRYPTO_CsBlindedMessage *bm, struct GNUNET_CRYPTO_CsBlindSignature *cs_blind_sig)
 Sign a blinded c. More...
void GNUNET_CRYPTO_cs_unblind (const struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar, const struct GNUNET_CRYPTO_CsBlindingSecret *bs, struct GNUNET_CRYPTO_CsS *signature_scalar)
 Unblind a blind-signed signature using a c that was blinded. More...
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_cs_verify (const struct GNUNET_CRYPTO_CsSignature *sig, const struct GNUNET_CRYPTO_CsPublicKey *pub, const void *msg, size_t msg_len)
 Verify whether the given message corresponds to the given signature and the signature is valid with respect to the given public key. More...


static const unsigned char L_BIG_ENDIAN [32]

Detailed Description

Clause Blind Schnorr signatures using Curve25519.

Lucien Heuzeveldt
Gian Demarmels

Definition in file crypto_cs.c.

Function Documentation

◆ map_to_scalar_subgroup()

static void map_to_scalar_subgroup ( struct GNUNET_CRYPTO_Cs25519Scalar scalar)

Maps 32 random bytes to a scalar.

This is necessary because libsodium expects scalar to be in the prime order subgroup.

[in,out]scalarcontaining 32 byte char array, is modified to be in prime order subgroup

Definition at line 69 of file crypto_cs.c.

71 /* perform clamping as described in RFC7748 */
72 scalar->d[0] &= 248;
73 scalar->d[31] &= 127;
74 scalar->d[31] |= 64;
unsigned char d[crypto_core_ed25519_SCALARBYTES]
32 byte scalar

References GNUNET_CRYPTO_Cs25519Scalar::d.

Referenced by GNUNET_CRYPTO_cs_blinding_secrets_derive(), and GNUNET_CRYPTO_cs_r_derive().

Here is the caller graph for this function:

◆ cs_full_domain_hash()

static void cs_full_domain_hash ( const struct GNUNET_CRYPTO_CsRPublic r_dash,
const void *  msg,
size_t  msg_len,
const struct GNUNET_CRYPTO_CsPublicKey pub,

Computes a Hash of (R', m) mapped to a Curve25519 scalar.

hashinitial hash of the message to be signed
pubdenomination public key (used as salt)
[out]cC containing scalar

Definition at line 152 of file crypto_cs.c.

158 // SHA-512 hash of R' and message
159 size_t r_m_concat_len = sizeof(struct GNUNET_CRYPTO_CsRPublic) + msg_len;
160 char r_m_concat[r_m_concat_len];
161 memcpy (r_m_concat,
162 r_dash,
163 sizeof(struct GNUNET_CRYPTO_CsRPublic));
164 memcpy (r_m_concat + sizeof(struct GNUNET_CRYPTO_CsRPublic),
165 msg,
166 msg_len);
167 struct GNUNET_HashCode prehash;
169 GNUNET_CRYPTO_hash (r_m_concat,
170 r_m_concat_len,
171 &prehash);
173 // modulus converted to MPI representation
174 gcry_mpi_t l_mpi;
177 sizeof(L_BIG_ENDIAN));
179 // calculate full domain hash
180 gcry_mpi_t c_mpi;
182 l_mpi,
183 pub,
184 sizeof(struct GNUNET_CRYPTO_CsPublicKey),
185 &prehash,
186 sizeof(struct GNUNET_HashCode),
187 "Curve25519FDH");
188 gcry_mpi_release (l_mpi);
190 // convert c from mpi
191 unsigned char c_big_endian[256 / 8];
193 sizeof(c_big_endian),
194 c_mpi);
195 gcry_mpi_release (c_mpi);
196 for (size_t i = 0; i<32; i++)
197 c->scalar.d[i] = c_big_endian[31 - i];
struct GNUNET_MessageHeader * msg
Definition: 005.c:2
static const unsigned char L_BIG_ENDIAN[32]
Definition: crypto_cs.c:137
static struct GNUNET_CRYPTO_EddsaPublicKey pub
Definition: gnunet-scrypt.c:47
void GNUNET_CRYPTO_hash(const void *block, size_t size, struct GNUNET_HashCode *ret)
Compute hash of a given block.
Definition: crypto_hash.c:41
void GNUNET_CRYPTO_mpi_scan_unsigned(gcry_mpi_t *result, const void *data, size_t size)
Convert data buffer into MPI value.
Definition: crypto_mpi.c:132
void GNUNET_CRYPTO_kdf_mod_mpi(gcry_mpi_t *r, gcry_mpi_t n, const void *xts, size_t xts_len, const void *skm, size_t skm_len, const char *ctx)
Deterministically generate a pseudo-random number uniformly from the integers modulo a libgcrypt mpi.
Definition: crypto_kdf.c:95
void GNUNET_CRYPTO_mpi_print_unsigned(void *buf, size_t size, gcry_mpi_t val)
Output the given MPI value to the given buffer in network byte order.
Definition: crypto_mpi.c:79
struct GNUNET_CRYPTO_Cs25519Scalar scalar
The public information of an Schnorr key pair.
the public R (derived from r) used in c
A 512-bit hashcode.

References GNUNET_CRYPTO_Cs25519Scalar::d, GNUNET_CRYPTO_hash(), GNUNET_CRYPTO_kdf_mod_mpi(), GNUNET_CRYPTO_mpi_print_unsigned(), GNUNET_CRYPTO_mpi_scan_unsigned(), L_BIG_ENDIAN, msg, pub, and GNUNET_CRYPTO_CsC::scalar.

Referenced by GNUNET_CRYPTO_cs_calc_blinded_c(), and GNUNET_CRYPTO_cs_verify().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ calc_r_dash()

static void calc_r_dash ( const struct GNUNET_CRYPTO_CsBlindingSecret bs,
const struct GNUNET_CRYPTO_CsRPublic r_pub,
const struct GNUNET_CRYPTO_CsPublicKey pub,
struct GNUNET_CRYPTO_CsRPublic blinded_r_pub 

calculate R'

bsblinding secret
pubpublic key

Definition at line 210 of file crypto_cs.c.

215 // R'i = Ri + alpha i*G + beta i*pub
216 struct GNUNET_CRYPTO_Cs25519Point alpha_mul_base;
217 GNUNET_assert (0 ==
218 crypto_scalarmult_ed25519_base_noclamp (
219 alpha_mul_base.y,
220 bs->alpha.d));
221 struct GNUNET_CRYPTO_Cs25519Point beta_mul_pub;
222 GNUNET_assert (0 ==
223 crypto_scalarmult_ed25519_noclamp (
224 beta_mul_pub.y,
225 bs->beta.d,
226 pub->point.y));
227 struct GNUNET_CRYPTO_Cs25519Point alpha_mul_base_plus_beta_mul_pub;
228 GNUNET_assert (0 == crypto_core_ed25519_add (
229 alpha_mul_base_plus_beta_mul_pub.y,
230 alpha_mul_base.y,
231 beta_mul_pub.y));
232 GNUNET_assert (0 ==
233 crypto_core_ed25519_add (
234 blinded_r_pub->point.y,
235 r_pub->point.y,
236 alpha_mul_base_plus_beta_mul_pub.y));
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
unsigned char y[crypto_core_ed25519_BYTES]
This is a point on the Curve25519.
struct GNUNET_CRYPTO_Cs25519Scalar alpha
struct GNUNET_CRYPTO_Cs25519Scalar beta
struct GNUNET_CRYPTO_Cs25519Point point

References GNUNET_CRYPTO_CsBlindingSecret::alpha, GNUNET_CRYPTO_CsBlindingSecret::beta, GNUNET_CRYPTO_Cs25519Scalar::d, GNUNET_assert, GNUNET_CRYPTO_CsRPublic::point, pub, and GNUNET_CRYPTO_Cs25519Point::y.

Referenced by GNUNET_CRYPTO_cs_calc_blinded_c().

Here is the caller graph for this function:

Variable Documentation


const unsigned char L_BIG_ENDIAN[32]
Initial value:
= {
0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0xde, 0xf9, 0xde, 0xa2, 0xf7,
0x9c, 0xd6, 0x58, 0x12, 0x63, 0x1a, 0x5c, 0xf5, 0xd3, 0xed

Definition at line 137 of file crypto_cs.c.

Referenced by cs_full_domain_hash().